Syslog Flow Export
Prisma SD-WAN will now generate Syslog messages on initial flow-rule classification and end-of-flow for all flows handled by the ION device.
| Where Can I Use This? | What Do I Need? |
|---|---|
| Prisma SD-WAN | Active Prisma SD-WAN license |
The ION device generates Syslog messages on initial flow-rule classification and at end of flow for every flow it handles. These Syslog messages are in RFC 5424 format, and an ION device can be configured to export flow logs to one or more Syslog servers.
The minimum device software version required for flow logging is Release 5.1.17 or Release 5.2.3.
The format of the flow log and a description of each field exported in the flow log are listed below.
Some fields are reserved for future use and are therefore not populated in the flow log.
| Field Name | Description |
|---|---|
| event time | Time the event occurred on the ION device |
| src ip | Source IP address |
| src port | Source port |
| dst ip | Destination IP address |
| dst port | Destination port |
| protocol name | Protocol name |
| reserved for future use | Field is always blank in cgxFlowLogV1 |
| reserved for future use | Field is always blank in cgxFlowLogV1 |
| pkts sent | Number of packets sent from src ip to dst ip |
| pkts recvd | Number of packets received from dst ip by src ip |
| bytes sent | Total bytes sent from src ip to dst ip |
| bytes recvd | Total bytes received from dst ip by src ip |
| src interface | Interface from which the traffic originated |
| dst interface | Interface from which the traffic egressed |
| path id | Prisma SD-WAN Path ID of the WAN path |
| app name | Name of the Prisma SD-WAN-matched application |
| flow event | Event that triggered the flow export: New Flow, Flow Update, or Delete Flow |
| zbfw classification rules | One or more ZBFW classification rules separated by a semicolon (;); the rule format and action codes are described below |

Each ZBFW classification rule has the format:
Rule Name: Source Zone Name: Destination Zone Name: Action: Action Code
Possible Action values:
  • ALLOW—Flow was Allowed
  • DENY—Flow was Denied
  • REJECT—Flow was rejected (Deny + Send TCP RST)
  • UNK_SOURCE_ZONE_DENY—Flow was Denied due to Unknown Source Zone
  • UNK_DESTINATION_ZONE_DENY—Flow was Denied due to Unknown Destination Zone
  • UNK_SOURCE_DESTINATION_ZONE_DENY—Flow was Denied due to Unknown Source and Destination Zone
Possible Action Code values:
  • 1 = ALLOW
  • 2 = DENY
  • 3 = REJECT
  • 4 = UNK_SOURCE_ZONE_DENY
  • 5 = UNK_DESTINATION_ZONE_DENY
  • 6 = UNK_SOURCE_DESTINATION_ZONE_DENY
A sample flow log in RFC 5424 format is shown below:
<13>1 2020-01-28T23:46:17.000035+00:00 T1S3_SPOKE1 cgxFlowLogV1 13593 - -2020-01-28T23:46:17,10.2.53.102,52520,10.2.13.100,80,tcp,,,0,0,0,0,,LondonPriWI1,15796434157670062,enterprise-http,New Flow,Allow-All:allow:1
The above Syslog message has a header and a body. The Syslog message values populated for the header and the body are:
| Syslog Message Header Component | Sample Value |
|---|---|
| Priority | <13> |
| Version | 1 |
| Syslog export time in UTC | 2020-01-28T23:46:17.000035+00:00 |
| Element device name | T1S3_SPOKE1 |
| App name to identify flow event logs | cgxFlowLogV1 |
| Process id of log generator | 13593 |
| Message id (empty) | Message id field is not populated by the ION device at this time. |
| Structured data (empty) | Structured data field is not populated by the ION device at this time. |

| Syslog Message Body | Sample Body |
|---|---|
| Flow event log in CSV format | 2020-01-28T23:46:17,10.2.53.102,52520,10.2.13.100,80,tcp,,,0,0,0,0,,LondonPriWI1,15796434157670062,enterprise-http,New Flow,Allow-All:allow:1 |
The Syslog message body shown above in CSV format can be interpreted as:

| Header | Sample Value |
|---|---|
| Time event happened | 2020-01-28T23:46:17 |
| src ip | 10.2.53.102 |
| src port | 52520 |
| dst ip | 10.2.13.100 |
| dst port | 80 |
| protocol name | tcp |
| pkts sent | 0 |
| pkts recvd | 0 |
| bytes sent | 0 |
| bytes recvd | 0 |
| dst interface | LondonPriWI1 |
| path id | 15796434157670062 |
| app name | enterprise-http |
| flow event | New Flow |
| zbfw classification rules | Allow-All:self:unknown:allow:1 |
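The parsing and triage logic a log collector would need for these records, as an added example that is not part of the Prisma SD-WAN documentation or product: a Python parser for the RFC 5424 header and the cgxFlowLogV1 CSV body, using the field order from the field table (the src port column position is taken from the interpreted sample), handling both the three-part and the five-part ZBFW rule forms that appear on this page, and a helper that picks out flows whose action code is anything other than 1 (ALLOW). The first sample line is the page's own; the second line, the rule name Block-Telnet and the app name telnet are constructed for this example.

```python
import csv
import re
from dataclasses import dataclass
from typing import Optional

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
# In the page's sample the CSV body follows the "-" structured-data field with
# no separating space, so the space before MSG is optional here.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[[^\]]*\]) ?(?P<msg>.*)$"
)

# Column order of the cgxFlowLogV1 CSV body, from the field table; src port is
# placed between src ip and dst ip as in the interpreted sample (an assumption).
BODY_FIELDS = [
    "event_time", "src_ip", "src_port", "dst_ip", "dst_port", "protocol_name",
    "reserved_1", "reserved_2", "pkts_sent", "pkts_recvd", "bytes_sent",
    "bytes_recvd", "src_interface", "dst_interface", "path_id", "app_name",
    "flow_event", "zbfw_classification_rules",
]
INT_FIELDS = ("src_port", "dst_port", "pkts_sent", "pkts_recvd", "bytes_sent", "bytes_recvd")
FLOW_EVENTS = {"New Flow", "Flow Update", "Delete Flow"}
ACTION_CODES = {
    1: "ALLOW", 2: "DENY", 3: "REJECT", 4: "UNK_SOURCE_ZONE_DENY",
    5: "UNK_DESTINATION_ZONE_DENY", 6: "UNK_SOURCE_DESTINATION_ZONE_DENY",
}


@dataclass
class ZbfwRule:
    rule_name: str
    src_zone: Optional[str]
    dst_zone: Optional[str]
    action: str
    action_code: int


def parse_zbfw_rules(text: str) -> list:
    """Split 'rule;rule;...' into ZbfwRule records.

    The documented layout is Name:SrcZone:DstZone:Action:Code, but the page's
    sample line carries only Name:Action:Code, so the zone fields are optional.
    """
    rules = []
    for chunk in filter(None, text.split(";")):
        parts = chunk.split(":")
        if len(parts) < 3:
            raise ValueError(f"unparseable ZBFW rule: {chunk!r}")
        zones = parts[1:-2]  # whatever sits between the name and the action
        rules.append(ZbfwRule(
            rule_name=parts[0],
            src_zone=zones[0] if len(zones) > 0 else None,
            dst_zone=zones[1] if len(zones) > 1 else None,
            action=parts[-2],
            action_code=int(parts[-1]),
        ))
    return rules


def parse_flow_log(line: str) -> dict:
    """Parse one cgxFlowLogV1 Syslog line into header and body dictionaries."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m["pri"])  # PRI = facility * 8 + severity
    header = {
        "facility": pri // 8, "severity": pri % 8, "version": int(m["version"]),
        "timestamp": m["timestamp"], "hostname": m["hostname"],
        "appname": m["appname"], "procid": m["procid"],
    }
    if header["appname"] != "cgxFlowLogV1":
        raise ValueError(f"unexpected app name {header['appname']!r}")
    cols = next(csv.reader([m["msg"]]))
    if len(cols) != len(BODY_FIELDS):
        raise ValueError(f"expected {len(BODY_FIELDS)} CSV fields, got {len(cols)}")
    body = dict(zip(BODY_FIELDS, cols))
    for key in INT_FIELDS:  # blank numeric fields become None, not 0
        body[key] = int(body[key]) if body[key] != "" else None
    if body["flow_event"] not in FLOW_EVENTS:
        raise ValueError(f"unknown flow event {body['flow_event']!r}")
    body["zbfw_rules"] = parse_zbfw_rules(body.pop("zbfw_classification_rules"))
    return {"header": header, "body": body}


def blocked_flows(lines) -> list:
    """Return parsed records in which any ZBFW rule has an action code other than 1 (ALLOW)."""
    hits = []
    for line in lines:
        rec = parse_flow_log(line)
        if any(r.action_code != 1 for r in rec["body"]["zbfw_rules"]):
            hits.append(rec)
    return hits


SAMPLE_LINES = [
    # The page's own sample message.
    "<13>1 2020-01-28T23:46:17.000035+00:00 T1S3_SPOKE1 cgxFlowLogV1 13593 - -"
    "2020-01-28T23:46:17,10.2.53.102,52520,10.2.13.100,80,tcp,,,0,0,0,0,,"
    "LondonPriWI1,15796434157670062,enterprise-http,New Flow,Allow-All:allow:1",
    # Constructed end-of-flow record (not from the page) with a five-part rule and a DENY code.
    "<13>1 2020-01-28T23:46:20.000101+00:00 T1S3_SPOKE1 cgxFlowLogV1 13593 - -"
    "2020-01-28T23:46:20,10.2.53.102,41022,10.2.13.100,23,tcp,,,3,0,180,0,,"
    "LondonPriWI1,15796434157670062,telnet,Delete Flow,Block-Telnet:self:unknown:deny:2",
]

if __name__ == "__main__":
    for rec in blocked_flows(SAMPLE_LINES):
        b = rec["body"]
        for r in b["zbfw_rules"]:
            print(f"{b['event_time']} {b['src_ip']}:{b['src_port']} -> {b['dst_ip']}:{b['dst_port']} "
                  f"{b['flow_event']} rule={r.rule_name} {ACTION_CODES.get(r.action_code, 'UNKNOWN')}")
```

The parser rejects lines whose CSV column count does not match the documented layout rather than guessing, which is the behaviour you want in a collector: a future cgxFlowLog version that adds or populates columns should fail loudly instead of silently shifting dst port into the protocol slot.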